EUCweb / BIS-F

Base Image Script Framework (BIS-F)
https://eucweb.com
GNU General Public License v3.0

Matrix42 UEM Agent Windows #332

Open FSE-SYSADMIN opened 2 years ago

FSE-SYSADMIN commented 2 years ago

The new Empirum Agent named "Matrix42 UEM Agent Windows" is not supported by BISF.

The UEM Agent no longer uses the "eris" service, but only the "Matrix42UAF" service and the AgentConfig.xml file is now located at C:\Program Files\Matrix42\Universal Agent Framework\AgentConfig.xml. So the script does not really clean up the agent configuration.

Some people will still use this agent because the vendor offers premium support for a special LTSR version.

Attached a few screenshots:

- BISF Script Log (2021-11-24 13_33_34-Window)
- BISF Script config servicename (2021-11-24 13_34_22-Window)
- Matrix42 UEM Agent service name (2021-11-24 13_35_28-Window)

bladeoner commented 2 years ago

@FSE-SYSADMIN can you test the attached script by replacing 10_PrepBISF_Empirum.ps1? 10_PrepBISF_Empirum.zip

I've added the following:

Old:

    $ServiceNames = @("Eris", "MATRIXAUT")

New:

    $ServiceNames = @("Eris", "MATRIXAUT", "Matrix42UAF")

Thanks in advance.

If it works, I can send it in as a PR.

FSE-SYSADMIN commented 2 years ago

It doesn't work unfortunately. image

I think that the variable $empirum_path must be changed to "C:\Program Files\Matrix42\Universal Agent Framework\". But as written in my previous post, the old agent should still be supported as well. We are currently in a transition phase. Unfortunately my PowerShell skills are not yet sufficient for this ;)

bladeoner commented 2 years ago

@FSE-SYSADMIN thank you for the quick response.

I have an idea how to do it, I will look into it later this week and keep you informed.

bladeoner commented 2 years ago

@FSE-SYSADMIN I've added a ForEach, with that it can go through both locations. 10_PrepBISF_Empirum_08182022.zip

Can you test if it works and let me know?

Thanks in advance.

FSE-SYSADMIN commented 2 years ago

The same error in the BISF log file as above.

It seems that only the first service from the $servicename array is checked and since it is not present, the script exits.

bladeoner commented 2 years ago

I've replaced the function with the following:

    $svc = Test-BISFService -ServiceName "$Svc1"
    if ($svc -eq $true) {
        Invoke-BISFService -ServiceName "$Svc1" -Action Stop
    }

    $svc = Test-BISFService -ServiceName "$Svc2"
    if ($svc -eq $true) {
        Invoke-BISFService -ServiceName "$Svc2" -Action Stop
    }

    $svc = Test-BISFService -ServiceName "$Svc3"
    if ($svc -eq $true) {
        Invoke-BISFService -ServiceName "$Svc3" -Action Stop
    }

Can you try the attached file and let me know if it works? 10_PrepBISF_Empirum_08242022.zip

Thanks in advance.

I'm not able to test it completely, but when I run the modified file I get 3 responses in the logfile of all 3 services that they don't exist.

FSE-SYSADMIN commented 2 years ago

Now it works a little bit. The BISF log file is there now: image

But there are some errors in the PS output: image

bladeoner commented 2 years ago

@FSE-SYSADMIN thank you for your patience and testing.

I made some adjustments on how to handle the errors.

When you find some time can you test the following file? 10_PrepBISF_Empirum_08252022.zip

Thanks in advance.

FSE-SYSADMIN commented 2 years ago

Yes, that looks much better! The first part of the removal (Agent LocalCache) works! Thank you very much for your work!

In the second part of the removal (reg keys) there are some reg keys that are not removed by the script:

    Remove-Item "$hklm_sw\MATRIX42\AGENT" -Force -ErrorAction SilentlyContinue

Has no change: image

    Remove-Item "$hklm_sw\MATRIX42\EmpInv" -Force -ErrorAction SilentlyContinue

Also has no change: image

bladeoner commented 2 years ago

Does it work when you run the following manually from a PowerShell shell (admin)?

    Remove-Item "$hklm_sw\MATRIX42\AGENT" -Force
    Remove-Item "$hklm_sw\MATRIX42\EmpInv" -Force

FSE-SYSADMIN commented 2 years ago

No. I get the error: image

It seems that the variable $hklm_sw has no content.

bladeoner commented 2 years ago

I was testing it at the same time with another registry value on my machine, I also get an error.

Can you verify the following works?

    Remove-Item "HKLM:\Software\MATRIX42\AGENT" -Force
    Remove-Item "HKLM:\Software\MATRIX42\EmpInv" -Force

bladeoner commented 2 years ago

If it works attached is a new file containing the changes: 10_PrepBISF_Empirum_08252022.zip

FSE-SYSADMIN commented 2 years ago

Oh, this change needs to be confirmed: image

bladeoner commented 2 years ago

@FSE-SYSADMIN I've added the -Recurse parameter to the cleanup of the registry keys. 10_PrepBISF_Empirum_08252022.zip

FSE-SYSADMIN commented 2 years ago

YES. Now it works! Thank you very much again!

bladeoner commented 2 years ago

That's good to hear, I will open a PR.
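
The fixes this thread converged on (test every service name instead of exiting on the first missing one, literal `HKLM:\Software` paths, `-Recurse` on the key removal), collected as an added example that is not part of the thread or of BIS-F's `10_PrepBISF_Empirum.ps1`. The function name `Clear-AgentSealState` and its result object are hypothetical, and built-in cmdlets stand in for the BIS-F helpers `Test-BISFService` / `Invoke-BISFService` so the block runs on its own.

```powershell
# Added example, not the BIS-F script. Built-in cmdlets replace the
# BIS-F helpers; the function name and result fields are hypothetical.
function Clear-AgentSealState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Service names from the thread: legacy Empirum agent plus the UEM agent.
        [string[]]$ServiceNames = @('Eris', 'MATRIXAUT', 'Matrix42UAF'),
        # Reject paths built from an empty variable (the $hklm_sw failure above).
        [ValidatePattern('^HKLM:\\.+')]
        [string[]]$RegistryKeys = @('HKLM:\Software\MATRIX42\AGENT', 'HKLM:\Software\MATRIX42\EmpInv')
    )
    $result = [ordered]@{ Stopped = @(); MissingServices = @(); RemovedKeys = @(); MissingKeys = @(); Failed = @() }
    foreach ($name in $ServiceNames) {
        # Check every name; an absent service is recorded, not treated as fatal.
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { $result.MissingServices += $name; continue }
        if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess($name, 'Stop service')) {
            try { Stop-Service -Name $name -Force -ErrorAction Stop; $result.Stopped += $name }
            catch { $result.Failed += "${name}: $($_.Exception.Message)" }
        }
    }
    foreach ($key in $RegistryKeys) {
        if (-not (Test-Path -LiteralPath $key)) { $result.MissingKeys += $key; continue }
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            try {
                # -Recurse removes subkeys without the interactive confirmation prompt.
                Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction Stop
                $result.RemovedKeys += $key
            }
            catch { $result.Failed += "${key}: $($_.Exception.Message)" }
        }
    }
    # Verify rather than rely on -ErrorAction SilentlyContinue: list keys that survived.
    $result.StillPresent = @($RegistryKeys | Where-Object { Test-Path -LiteralPath $_ })
    [pscustomobject]$result
}

# Dry run first; drop -WhatIf in an elevated session on the master image.
Clear-AgentSealState -WhatIf
```

A non-empty `StillPresent` or `Failed` in the returned object means the agent state was not fully removed before sealing, which is the condition the `-ErrorAction SilentlyContinue` calls in the thread were hiding.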